PT-2025-7547 · Xwiki · Xwiki Platform

John Kwak · Published 2024-05-06 · Updated 2026-03-11 · CVE-2025-24893

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 15.10.11
XWiki versions prior to 16.4.1
XWiki versions prior to 16.5.0RC1

Description
XWiki Platform is susceptible to a remote code execution (RCE) vulnerability. An unauthenticated attacker can execute arbitrary code by sending a specially crafted request to the SolrSearch endpoint. The vulnerability stems from improper handling of user-supplied input in the SolrSearchMacros component, which fails to sanitize RSS feed input; this allows Groovy code to be injected and executed. The RondoDox botnet has been observed actively exploiting this vulnerability to deploy cryptocurrency miners and establish remote shells. Numerous reports indicate widespread exploitation, with over 1,200 exposed instances identified.

API Endpoint: /xwiki/bin/get/Main/SolrSearch
Vulnerable Parameter: text

Recommendations
XWiki versions prior to 15.10.11: upgrade to version 15.10.11 or later.
XWiki versions prior to 16.4.1: upgrade to version 16.4.1 or later.
XWiki versions prior to 16.5.0RC1: upgrade to version 16.5.0RC1 or later.
As a workaround, edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824, with a content type of application/xml.
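
The following Python script is an added defender-side example and is not part of this advisory or of the XWiki project. It applies the three affected-version ranges above to an XWiki version string (so an operator can decide whether an instance needs the upgrade or the workaround), and it triages web-server access-log lines for requests to the SolrSearch endpoint whose `text` parameter carries XWiki macro syntax. The version-string formats it accepts (including the `16.5.0-rc-1` spelling of `16.5.0RC1`), the combined access-log format, the `{{` heuristic and the sample log lines are all constructed assumptions, not taken from the advisory.

```python
"""Defender-side checks for CVE-2025-24893 (XWiki SolrSearch RCE).

Added example, not advisory or project code.  Assumptions: XWiki versions
look like 15.10.11, 16.5.0RC1 or 16.5.0-rc-1; access logs are in the usual
Apache/Nginx combined format; wiki macro syntax ("{{") in the `text`
parameter of a SolrSearch request is an assumed triage heuristic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed versions named in the advisory, one per affected range.
FIXED_15 = "15.10.11"
FIXED_16 = "16.4.1"
FIXED_16_5 = "16.5.0RC1"

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(milestone|m|rc)[-.]?(\d+))?$",
    re.IGNORECASE,
)
_PRE_RANK = {"milestone": -2, "m": -2, "rc": -1}  # pre-releases sort below final


def parse_version(text):
    """Turn '16.5.0RC1' or '16.5.0-rc-1' into a comparable tuple.

    The tuple is (major, minor, patch, pre_rank, pre_number); a final
    release has pre_rank 0, so 16.5.0RC1 < 16.5.0 as expected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, tag, pre_num = m.groups()
    rank = _PRE_RANK[tag.lower()] if tag else 0
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def is_affected(version):
    """True if `version` falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v < parse_version(FIXED_15):
        return True                  # everything before 15.10.11, 14.x included
    if v[0] == 15:
        return False                 # 15.10.11 and later 15.x carry the fix
    if v[0] == 16 and v[1] <= 4:
        return v < parse_version(FIXED_16)     # 16.0 .. 16.4 branch
    if v[0] == 16:
        return v < parse_version(FIXED_16_5)   # 16.5 pre-releases before RC1
    return False                     # 17.x and later are outside the ranges


# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/bin/get/Main/SolrSearch"   # endpoint named in the advisory


def triage_access_log(lines):
    """Return (ip, timestamp, status, text) for SolrSearch requests whose
    `text` parameter contains wiki macro syntax.  URL-encoded braces
    (%7B%7B) are decoded by parse_qs before the check."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(VULN_PATH):
            continue
        text = " ".join(parse_qs(url.query).get("text", []))
        if "{{" in text:
            hits.append((m["ip"], m["ts"], m["status"], text))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Bmacro%7D%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.2 - - [10/Mar/2026:12:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=security+policy HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2026:12:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("14.10.21", "15.10.10", "15.10.11", "16.4.0", "16.4.1",
                "16.5.0-milestone-1", "16.5.0RC1", "17.0.0"):
        print(f"{ver:20} affected={is_affected(ver)}")
    for hit in triage_access_log(SAMPLE_LOG):
        print("flag:", hit)
```

The version check is branch-aware: 16.4.1 is fixed although it is numerically below 16.5.0RC1, and a 16.5.0 milestone build is still inside the third range. The log triage deliberately keys on the endpoint plus macro syntax rather than on any particular payload, so it stays useful for retrospective hunting after the upgrade.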

Tags: Exploit · Fix · RCE · LPE · Eval Injection · Code Injection

Weakness Enumeration

Related Identifiers
BDU:2025-01880
CVE-2025-24893
GHSA-RR6P-3PFG-562J

Affected Products
Xwiki Platform